Communication of PHI Can Be Oral, Written, or Electronic—Here’s What HIPAA Allows


Kevin Henry

HIPAA

September 27, 2025

7 minutes read

HIPAA Coverage of PHI Forms

Under the HIPAA Privacy Rule, protected health information (PHI) is safeguarded regardless of format. Communication of PHI can be oral, written, or electronic—here’s what HIPAA allows and expects of you as a covered entity or business associate.

What counts as PHI by form

  • Oral PHI: handoffs, phone updates, consults, bedside discussions, and voicemails.
  • Written PHI: paper charts, intake forms, mailed results, printed schedules, and traditional faxes.
  • Electronic PHI: EHR entries, emails, patient portal messages, e-faxes stored digitally, secure messaging, telehealth recordings, and backups in cloud systems.

Designated Record Set and form neutrality

Individuals have a right to access PHI in the designated record set—the records you use to make decisions about them—no matter the form. Whether information sits in a paper file or as electronic PHI in an EHR, the same Privacy Rule standards (like minimum necessary and permitted uses and disclosures) apply.

Safeguards for Oral Communications

HIPAA does not ban conversations. It requires reasonable safeguards so others can’t overhear more than is necessary. Your aim is to limit incidental disclosures while supporting care coordination.

Practical “reasonable safeguards”

  • Lower your voice and step away from public areas for sensitive details.
  • Confirm who is present and each person’s role before sharing PHI.
  • Use private rooms for consultations and avoid speakerphones in open spaces.
  • Share the minimum necessary; defer detailed identifiers to a more secure channel.
  • Control whiteboards, sign-in sheets, and overhead paging to avoid excessive detail.

Common risk scenarios and fixes

  • Hallways/elevators: postpone discussions or switch to a secure message after.
  • Family at bedside: ask the patient’s preference before discussing specifics.
  • Telehealth from home: use headsets, neutral backdrops, and private rooms.

Documentation of Oral Communications

HIPAA does not require you to record every conversation. Instead, maintain policies, workforce training records, and a disclosure history for those disclosures that must be accounted for. Keep authorizations and restriction agreements on file and document decisions that materially affect how you use or disclose PHI.

When documentation is required

  • Authorizations: retain signed patient authorizations and related notes.
  • Accounting of disclosures: track non–treatment, payment, and operations disclosures so you can produce an accounting upon request.
  • Restrictions: if you accept a patient’s restriction request, document and honor it.
  • Required-by-law disclosures: keep records supporting the legal basis and scope.
  • Breach response: retain investigation, notification, and mitigation records.

Operational tips

  • Use your EHR’s disclosure management and audit tools to centralize the log.
  • Capture essentials: date, recipient, description of PHI, purpose, and authority.
  • Retain required documentation for the applicable HIPAA retention period.

Electronic Communication of PHI

The Privacy Rule allows electronic communication of PHI when you apply reasonable safeguards. The Security Rule adds specific expectations for electronic PHI (ePHI), focusing on confidentiality, integrity, and availability.

Email and portals with patients

  • Confirm addresses, use secure portals when possible, and limit identifiers in subject lines.
  • Encrypt in transit and, where appropriate, at rest; attach only what is necessary.
  • Honor patient preferences for format and channel when feasible.
  • Ensure messages become part of the designated record set when clinically relevant.

Provider-to-provider exchange

  • Use secure channels (for example, trusted networks, secure email, or direct exchange) with access controls and audit logging.
  • Execute business associate agreements (BAAs) with vendors that create, receive, maintain, or transmit ePHI.
  • Verify recipient identity and role before sending high-sensitivity details.

Telehealth and remote work

  • Choose platforms with encryption, access controls, and audit capabilities.
  • Harden endpoints: device encryption, automatic lock, patching, and remote wipe.
  • Disable unauthorized recordings and store clinical media according to policy.

Security Rule Applicability

The Security Rule applies to ePHI that you create, receive, maintain, or transmit. It does not cover paper or purely oral PHI, though those remain protected by the Privacy Rule. Security standards are risk-based and scalable.

Administrative safeguards

  • Risk analysis and risk management with periodic reassessment.
  • Workforce training, sanctions, and role-based access policies.
  • Vendor due diligence, BAAs, and documented security responsibilities.
  • Contingency planning: backups, disaster recovery, and emergency operations.
  • Incident response and breach reporting procedures.

Physical safeguards

  • Facility access controls and visitor management.
  • Workstation security and device/media controls, including secure disposal.
  • Environmental protections for server rooms and network closets.

Technical safeguards

  • Unique user IDs, least-privilege access, and multifactor authentication.
  • Encryption in transit and, where appropriate, at rest as a reasonable safeguard.
  • Audit controls with retained logs and routine review.
  • Integrity protections and transmission security for ePHI exchanges.

Text Messaging of PHI

HIPAA does not prohibit texting, but standard SMS/MMS typically lacks the safeguards you need. Without encryption, authentication, and audit trails, texting PHI can create unacceptable risk.

Risks with traditional texting

  • No end-to-end encryption; content may persist on devices and carrier systems.
  • Misdirected messages and group chats increase exposure.
  • Lost or shared devices, screenshots, and forwarding defeat “minimum necessary.”
  • Inadequate audit controls and unpredictable retention complicate disclosure history.

Enabling compliant messaging

  • Adopt a secure messaging platform with encryption, identity verification, and centralized administration.
  • Use mobile device management: remote wipe, automatic lock, and data loss prevention.
  • Validate recipients through a managed directory; use role-based messaging.
  • Enable audit logs, retention rules, and automatic expiry aligned to policy.
  • Train staff; avoid texting orders or critical changes if organization policy forbids it.

For treatment, payment, and healthcare operations, HIPAA generally does not require patient consent. For other purposes (such as marketing), written authorization is required. You may communicate with patients electronically if you use reasonable safeguards and respect their preferences; many organizations document the patient’s choice and any risk acknowledgments.

Patient rights and preferences

  • Request confidential communications by alternative means or locations (for example, portal only, paper mail, or a specific phone number).
  • Request access to their PHI in a readily producible electronic format.
  • Opt in or out of email or text; you should accommodate reasonable requests.
  • Verify identity before sharing PHI and respect any accepted restrictions.

Putting it into practice

  • Record each patient’s channel preferences and any risk-informed choices.
  • Use templated consent/acknowledgment language and retain it with the record.
  • Reconfirm contact details periodically and update when proxies change.

Key takeaways

  • PHI is protected in oral, written, and electronic forms under the Privacy Rule; ePHI also triggers Security Rule safeguards.
  • Apply reasonable safeguards for conversations, document required disclosures, and maintain a reliable disclosure history.
  • Use secure platforms, BAAs, and risk-based controls for all electronic communications, including texting.
  • Honor patient preferences for electronic communication and obtain authorizations when required.

FAQs

What forms of PHI communication does HIPAA protect?

HIPAA protects PHI in every format—oral discussions, written records, and electronic PHI. The Privacy Rule covers all forms, while the Security Rule adds specific protections for ePHI created, received, maintained, or transmitted electronically.

How does HIPAA regulate oral communications of PHI?

HIPAA allows conversations for care but requires reasonable safeguards, such as speaking quietly, confirming who can hear, and sharing the minimum necessary. You do not need to log every conversation, but you must document required disclosures, accepted restrictions, and policies that govern oral exchanges.

What safeguards are required for electronic communication of PHI?

Safeguards are risk-based and typically include encryption, access controls, authentication, audit logging, secure platforms, BAAs with vendors, user training, and incident response. Verify recipients and limit identifiers, especially when emailing or texting.

Can patients object to electronic communication of their PHI?

Yes. Patients can request confidential communications by alternative means or locations and may opt out of email or text. You should accommodate reasonable requests, document preferences, and use authorizations when a disclosure is outside treatment, payment, or healthcare operations.
